T1578: Modify Cloud Compute Infrastructure
An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.
Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vk_cloud: PT-CR-2103: VK_Cloud_VM_Metadata_Contains_Sensitive_Value: Sensitive data was detected in the custom metadata of a virtual machine, which can lead to the compromise of the cloud infrastructure
vk_cloud: PT-CR-2105: VK_Cloud_VM_Security_Group_Operation: A user who is not on the allowed users list changed a security group list of a virtual machine, which may indicate an attacker's attempt to change the network configuration
vk_cloud: PT-CR-2291: VK_Cloud_Critical_VM_Operation: An untrusted user performed an operation on a critical virtual machine in VK Cloud. Attackers can gain access to critical virtual machines, manage them, and change their configuration, including network configuration. This allows them to interfere with the operation of critical virtual machines, disclose information stored on them, and prepare the environment for further attacks.
vk_cloud: PT-CR-2292: VK_Cloud_VM_Public_Address_Assign: A virtual machine was assigned a public IP address, which may indicate an attacker's attempt to change the network configuration
vk_cloud: PT-CR-2305: VK_Cloud_Critical_DB_Operation: An untrusted user performed an operation with a critical database in VK Cloud. Attackers can bypass protection or gain persistence in the system by changing or deleting a critical database, or by creating a backup of it or a new user in it. These operations allow attackers to access sensitive information stored in the database and use it to further compromise the system.
vk_cloud: PT-CR-2306: VK_Cloud_New_VM_from_Critical_Objects: A user created a virtual machine from a copy of a critical object in VK Cloud. Such operations allow attackers to access data stored on critical objects outside of the area protected by security systems and hide the evidence of their activity. In addition, attackers may try to pass off their virtual machine as a legitimate device.
vk_cloud: PT-CR-2307: VK_Cloud_Critical_Objects_Clone: Disks attached to critical virtual machines in VK Cloud were cloned, snapshotted, or backed up. Attackers can use copies of critical objects to access the data stored on them, create their own virtual machines outside of the area protected by security systems, and hide the evidence of their activity. The obtained data can then be used to further compromise the system.
Subtechniques
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0034 | Volume: Volume Metadata | Periodically baseline cloud block storage volumes to identify malicious modifications or additions. |
| DS0030 | Instance: Instance Stop | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to deactivation of instances that occur outside of planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0020 | Snapshot: Snapshot Deletion | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the deletion of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0034 | Volume: Volume Deletion | Monitor for the unexpected deletion or absence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0020 | Snapshot: Snapshot Creation | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0030 | Instance: Instance Modification | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to snapshots, rollbacks, and VM configuration changes that occur outside of normal activity. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0030 | Instance: Instance Deletion | The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. In AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM. |
| DS0020 | Snapshot: Snapshot Metadata | Periodically baseline snapshots to identify malicious modifications or additions. |
| DS0025 | Cloud Service: Cloud Service Metadata | Monitor for quota increases across all regions, especially multiple quota increases in a short period of time or quota increases in unused regions. Monitor for changes to tenant-level settings such as subscriptions and enabled regions. |
| DS0030 | Instance: Instance Creation | The creation of a new instance or VM is a common part of operations within many cloud environments. Events should therefore not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, the creation of an instance by a new user account, or the unexpected creation of one or more snapshots followed by the creation of an instance, may indicate suspicious activity. In AWS, CloudTrail logs capture the creation of an instance in the RunInstances event, and in Azure the creation of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances create to create a VM. |
| DS0034 | Volume: Volume Modification | Monitor for unexpected changes to cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0020 | Snapshot: Snapshot Modification | Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the mounting of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0030 | Instance: Instance Start | Establish centralized logging of instance activity, which can be used to monitor and review system events even after reverting to a snapshot, rolling back changes, or changing persistence/type of storage. Monitor specifically for events related to activation of instances that occur outside of normal activity or planned operations. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
| DS0030 | Instance: Instance Metadata | Periodically baseline instances to identify malicious modifications or additions. |
| DS0034 | Volume: Volume Creation | Monitor for the unexpected creation or presence of cloud block storage volumes. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones. |
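As an added example (not part of this page, MaxPatrol SIEM, or any cloud provider's tooling), the Python below applies two of the detection ideas from the table to constructed CloudTrail-style records: a burst of snapshot creations by one user inside a short window, and the create-instance, attach-volume, terminate-instance chain performed by a user outside the known set, with events that carry a change-management tag excluded to cut false positives. The flat record shape and the changeTag field are assumptions for the sample data; RunInstances and TerminateInstances are the event names the table cites, and CreateSnapshot and AttachVolume stand in for the snapshot creation and snapshot mounting steps.

```python
from datetime import datetime, timedelta
# Constructed CloudTrail-style records (sample data, not real logs), flattened to the
# fields the checks use; changeTag is the "known identifier logged with the change".
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "user": "ops-bot", "eventName": "CreateSnapshot", "resource": "snap-0001", "changeTag": "CHG-1042"},
    {"eventTime": "2024-05-01T10:00:05Z", "user": "ops-bot", "eventName": "CreateSnapshot", "resource": "snap-0002", "changeTag": "CHG-1042"},
    {"eventTime": "2024-05-01T10:00:10Z", "user": "ops-bot", "eventName": "CreateSnapshot", "resource": "snap-0003", "changeTag": "CHG-1042"},
    {"eventTime": "2024-05-01T11:00:00Z", "user": "new-user", "eventName": "CreateSnapshot", "resource": "snap-0101", "changeTag": None},
    {"eventTime": "2024-05-01T11:00:30Z", "user": "new-user", "eventName": "CreateSnapshot", "resource": "snap-0102", "changeTag": None},
    {"eventTime": "2024-05-01T11:01:00Z", "user": "new-user", "eventName": "CreateSnapshot", "resource": "snap-0103", "changeTag": None},
    {"eventTime": "2024-05-01T11:05:00Z", "user": "new-user", "eventName": "RunInstances", "resource": "i-0abc", "changeTag": None},
    {"eventTime": "2024-05-01T11:06:00Z", "user": "new-user", "eventName": "AttachVolume", "resource": "i-0abc", "changeTag": None},
    {"eventTime": "2024-05-01T11:40:00Z", "user": "new-user", "eventName": "TerminateInstances", "resource": "i-0abc", "changeTag": None},
]
# Create an instance, attach a volume (e.g. one built from a snapshot), then delete it:
# the instance-deletion chain described in the detection table.
LIFECYCLE_CHAIN = ["RunInstances", "AttachVolume", "TerminateInstances"]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def unapproved(events):
    """Chronological events with no change-management tag; tagged ones are expected work."""
    return sorted((e for e in events if not e.get("changeTag")), key=_ts)

def burst(events, name, threshold=3, window=timedelta(minutes=10)):
    """Users who performed `name` at least `threshold` times inside a sliding `window`."""
    recent, hits = {}, set()
    for e in unapproved(events):
        if e["eventName"] != name:
            continue
        times = recent.setdefault(e["user"], [])
        times.append(_ts(e))
        while _ts(e) - times[0] > window:  # drop timestamps that fell out of the window
            times.pop(0)
        if len(times) >= threshold:
            hits.add(e["user"])
    return hits

def _in_order(chain, seen):
    it = iter(seen)  # each step must appear after the previous one was found
    return all(step in it for step in chain)

def lifecycle_chain(events, known_users):
    """Instances on which a user outside `known_users` ran LIFECYCLE_CHAIN in order."""
    per_instance = {}
    for e in unapproved(events):
        if e["user"] not in known_users and e["resource"].startswith("i-"):
            per_instance.setdefault(e["resource"], []).append(e["eventName"])
    return sorted(r for r, seen in per_instance.items() if _in_order(LIFECYCLE_CHAIN, seen))
```

Run against the sample data, ops-bot's tagged snapshot burst is ignored while new-user's untagged burst and the full lifecycle chain on i-0abc are both reported.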
Mitigation
| ID | Name | Description |
|---|---|---|
| M1018 | User Account Management | Limit permissions for creating, deleting, and otherwise altering compute components in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles, and policies. |
| M1047 | Audit | Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components. |